PrintNightmare and Resting Easy with MyQ

“PrintNightmare” is the name for a series of serious security vulnerabilities with the Windows Print Spooler service (CVE-2021-34481 and CVE-2021-34527). While these problems broke out into the open in mid-2021, the conditions that led to it are still haunting the sleep of sysadmins.

The PrintNightmare vulnerability enabled any user within an organization’s network to exploit the domain controller via the Windows Spooler and compromise the Microsoft Active Directory domain. It allowed attackers to run code with system privileges – just as long as they had credentials of any authenticated user.

Microsoft’s Print Spooler service is the network intermediary between printers and individual computers. It accepts print jobs from the computer, makes sure that printer resources are available, and schedules the order for print jobs to be queued. For domain controllers, the Print Spooler service gets the list of printers from Active Directory and checks if the print server is reachable or if the printer is still being shared.

Yes, the Spooler has an important role but it’s not essential. Even though some print management solutions do use it extensively, it has long been recognized as a security risk with Microsoft recommending that domain controllers and Active Directory admin systems disable this service when it is not required.

There is a risk from oversharing

Windows Spooler issues were increased exponentially by a communication breakdown between security researchers and Microsoft. In a nutshell, two researchers shared their findings – and a proof of concept – about this vulnerability before Microsoft had a fully functional patch prepared for it. These research findings went viral in not a good way. In addition, Microsoft needed several – not one – patches to take care of most of the issues. One of their major corrective steps was to require users to have administrative privileges when using the Point and Print feature to install printer drivers. There were also complaints over how these steps were implemented.  

Are you practicing safe computing? 

Prematurely publishing researchers were just the visible start of the issue. PrintNightmare was really accelerated due to admins practicing “unsafe computing.”

“This is really due to the common practice of sharing drivers over the network via Microsoft Print Spooler,” said Václav Salava, senior support specialist at MyQ. “I would call this systemically risky behavior.”

While Print Spooler has been important, but as a known security risk, it should not be a mandatory element within any print management software. It first went global when it was incorporated into the Stuxnet worm as the famous zero-day vulnerability CVE-2010-2729. Remember, even Microsoft recommends disabling it. 

Rest easy with MyQ

At MyQ, there were no alarms flashing over the PrintNightmare and the Print Spooler issues – and there are two good reasons for this. First, MyQ X does not require the Print Spooler service. Second, MyQ has long encouraged customers to set up their environment without print driver sharing. "The print driver can be installed directly to client computers", pointed out Václav. With MyQ X, this can be done by an admin via a management script for distributing drivers. In addition, there are several driverless printing methods which customers can use as well. These alternatives include AirPrint, web upload, email printing, and mobile printing with the MyQ X Mobile Client.

For better, more secure dreams, put the Print Spooler service to sleep.

get the secure myq X